xref: /openbmc/linux/security/integrity/ima/Kconfig (revision ecba1060)
1# IBM Integrity Measurement Architecture
2#
3config IMA
4	bool "Integrity Measurement Architecture(IMA)"
5	depends on ACPI
6	select SECURITYFS
7	select CRYPTO
8	select CRYPTO_HMAC
9	select CRYPTO_MD5
10	select CRYPTO_SHA1
11	select TCG_TPM
12	select TCG_TIS
13	help
14	  The Trusted Computing Group(TCG) runtime Integrity
15	  Measurement Architecture(IMA) maintains a list of hash
16	  values of executables and other sensitive system files,
17	  as they are read or executed. If an attacker manages
18	  to change the contents of an important system file
19	  being measured, we can tell.
20
21	  If your system has a TPM chip, then IMA also maintains
22	  an aggregate integrity value over this list inside the
23	  TPM hardware, so that the TPM can prove to a third party
24	  whether or not critical system files have been modified.
25	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
26	  to learn more about IMA.
27	  If unsure, say N.
28
29config IMA_MEASURE_PCR_IDX
30	int
31	depends on IMA
32	range 8 14
33	default 10
34	help
35	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
36	  that IMA uses to maintain the integrity aggregate of the
37	  measurement list.  If unsure, use the default 10.
38
39config IMA_AUDIT
40	bool
41	depends on IMA
42	default y
43	help
44	  This option adds a kernel parameter 'ima_audit', which
45	  allows informational auditing messages to be enabled
46	  at boot.  If this option is selected, informational integrity
47	  auditing messages can be enabled with 'ima_audit=1' on
48	  the kernel command line.
49
50config IMA_LSM_RULES
51	bool
52	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
53	default y
54	help
55	  Disabling this option will disregard LSM based policy rules.
56